In the last year, the administration has unveiled a flurry of sanctions against North Korean hacking groups, front companies and IT workers, and blacklisted multiple cryptocurrency services they use to launder stolen funds. Earlier this month, national security adviser Jake Sullivan announced a new partnership with Japan and South Korea aimed at cracking down on Pyongyang’s crypto bonanza — thereby choking off money to its nuclear and conventional weapons programs.
“In countering North Korean cyber operations, our first priority has been focusing on their crypto heists,” Anne Neuberger, the National Security Council’s top cybersecurity official, said in an interview.
The stepped-up effort to blunt North Korea’s cyber operations is fueled by growing alarm about where the fruits of those attacks are going, Neuberger said.
Hacking, she argued, has enabled North Korea to “either evade sanctions or evade the steps the international community has taken to target their weapons proliferation … their missile regime, and the growth in the number of launches we’ve seen.”
Poor regulation and shoddy security in the fast-growing cryptocurrency industry, which is dominated by start-ups, make it an easy target for Pyongyang’s hackers. Because of crypto’s built-in privacy features and the fact that it can be sent across borders with a single click, it also offers a powerful tool for circumventing sanctions.
North Korea has conducted roughly 100 ballistic missile tests in the last year, and it staged its first intercontinental ballistic missile test in five months on Monday. Between November and August, it also exported more than a million artillery shells to Russia, according to South Korean intelligence services.
U.S. officials increasingly believe the key to slowing that type of activity lies at the intersection of hacking and cryptocurrency.
Last year, Pyongyang-linked hackers stole roughly $1.7 billion worth of digital money, according to estimates from cryptocurrency tracing firm Chainalysis. And in May, Neuberger estimated that about half of North Korea’s missile program is funded by cyberattacks and cryptocurrency theft.
North Korean hackers “directly fund” North Korea’s weapons of mass destruction and ballistic missile programs, said State Department spokesperson Vedant Patel.
Until recently, North Korea’s cyber prowess has garnered relatively little attention in Washington. Fear of digital strikes spilling over from the conflicts in Ukraine and Gaza, or during a possible Chinese invasion of Taiwan, has overshadowed the issue, experts say.
“People tend to think, … how could the quote-unquote ‘Hermit Kingdom’ possibly be a serious player from a cyber perspective?” Adam Meyers, a senior vice president at cybersecurity firm CrowdStrike, said in an interview. “But the reality couldn’t be further from the truth.”
Pyongyang’s hackers have repeatedly caught Western companies off-guard with their technical ingenuity, an ability to blend old-fashioned spy tricks with cyber operations and sheer brazenness, according to private sector researchers.
And while those who study North Korean cyber operations say their proficiency at stealing cryptocurrency represents a major challenge to the West today, they also argue it would be dangerous to pigeonhole Pyongyang as little more than a money-stealing threat.
By some metrics, North Korea has launched more than a dozen supply-chain attacks in the last year — a sophisticated tactic in which hackers compromise the software delivery pipeline to get nearly unfettered access to a wide range of companies.
The significance of those attacks has been “extremely underplayed in the public,” said Tom Hegel, a threat researcher at cybersecurity firm SentinelOne, because they caused little harm outside the direct victims of the attacks — often individuals or obscure cryptocurrency startups.
But some of the same techniques they’ve honed in targeting those firms could have been used to cause widespread digital disruption, say cybersecurity experts.
In April, researchers at cybersecurity firm Mandiant uncovered that North Korean hackers had pulled off the first publicly known instance of a “double” software supply-chain hack — jumping from one software maker into a second and from there to the company’s customers.
Mandiant assessed the hackers were after cryptocurrency. Had they wanted to, however, the North Koreans could have used tactics like that to inflict “a massive level of damage,” said SentinelOne’s Hegel.
What North Korea “is able to do on a global scale, no one has replicated,” added Mick Baccio, global security adviser at security firm Splunk.
Asked about her level of concern that North Korean hackers had grown more capable and could pivot to destructive activity, Neuberger acknowledged Pyongyang’s hackers are “capable, creative and aggressive.”
But she said the White House was confident the North Koreans are focused on stealing money or intellectual property that could be used for the country’s weapons programs. She also argued that cutting off the profitability of North Korea’s hacks is one of the best ways to deter them.
“The goal is to aggressively cut the profitability of the regime’s hacking,” she said.
North Korea’s proficiency in computer warfare has surprised onlookers for almost a decade now.
North Korea’s hackers famously burst into the public consciousness in 2014, when Pyongyang’s operatives broke into Sony Pictures Entertainment and threatened the movie studio to stop it from releasing “The Interview,” a raunchy comedy that portrayed the assassination of Kim Jong Un. Years later, in 2017, they unleashed a self-spreading computer virus that is estimated to have caused billions of dollars in damages in a matter of hours.
But in addition to the growing technical proficiency of North Korean hackers, it is the volume and variety of their activity that has recently alarmed onlookers.
In the last 18 months, U.S. intelligence agencies have warned that Pyongyang is targeting think tanks and academics to collect intelligence and staging ransomware attacks — in which they scramble victims’ data until they pay an extortion fee — against U.S. healthcare companies.
More recently, the Justice Department, FBI and Treasury Department have also accused Pyongyang of dispatching thousands of tech workers to Russia and China, where they secured remote IT jobs with global companies under false identities, and then funneled their salaries back to the regime.
In one recent case that received little attention outside the region, North Korean hackers conspired with insiders at a South Korean data recovery company to bilk millions from unwitting victims of Pyongyang’s attacks.
Just a fraction of that money appears to have found its way back to Pyongyang, according to South Korean law enforcement. But the scheme dated back to 2017 and involved a variant of ransomware that was not previously linked to Pyongyang.
The case speaks to how creative the country has gotten at finding ways to avoid scrutiny and skirt international sanctions, said Erin Plante, vice president of investigations at Chainalysis.
“It shows that they’re always thinking outside the box, evolving and keeping up with the news in the same way we do, which is a little bit scary,” she said.
Michael Barnhart, a North Korea expert at cybersecurity firm Mandiant, said the scheme was reminiscent of several other operations the country’s hacking forces have pulled off in recent memory — some of which are not yet public.
The common theme, he argued, was how adept Pyongyang has become at mixing cyber operations with more traditional spying and money laundering tactics.
“This is a very, very well-organized criminal family,” he said.